CVE-2019-11409

HIGH

FusionPBX 4.4.3 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-11409. PoCs published by Metasploit, Dustin Cobb, bcoles, including Metasploit module exploits/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.

AI-analyzed exploit summary: This Metasploit module exploits an authenticated command injection vulnerability in FusionPBX versions 4.4.3 and prior via the `exec.php` file in the Operator Panel. It allows execution of arbitrary commands as the web server user by leveraging the FreeSWITCH event socket interface.

Description

app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/47697

This Metasploit module exploits an authenticated command injection vulnerability in FusionPBX versions 4.4.3 and prior via the `exec.php` file in the Operator Panel. It allows execution of arbitrary commands as the web server user by leveraging the FreeSWITCH event socket interface.

Classification
Working PoC 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: FusionPBX <= 4.4.3
Auth required
Prerequisites: Valid credentials with `operator_panel_view` or admin permissions · Access to the Operator Panel
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Dustin Cobb, bcoles · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.rb

This Metasploit module exploits an authenticated command injection vulnerability in FusionPBX versions 4.4.3 and prior via the `exec.php` file in the Operator Panel. It allows execution of arbitrary commands as the web server user by leveraging the FreeSWITCH event socket interface.

Classification
Working PoC 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: FusionPBX <= 4.4.3
Auth required
Prerequisites: Valid credentials with `operator_panel_view` or administrator permissions · Access to the FusionPBX web interface
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.8650
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
fusionpbx/fusionpbx 4.4.3
Published Jun 17, 2019
Tracked Since Feb 18, 2026